Re: jabberd-2.3.0 release

2013-11-26 Thread Eric Koldeweij

Christof,

I had the same problem, luckily I ran on a test server. I could not even 
login with my client.


There has been a change in sx/ssl.c line 899. The line now reads
ctx = SSL_CTX_new(TLSv1_2_method());

This means that it will support TLS v1.2 only. Connections using SSLv3 
or TLS v1.1 and earlier are not accepted any more. There is also another 
issue that if a secure connection cannot be established for any reason 
(incompatible protocol or verification failed or similar) it will retry 
many times in very rapid succession for 10 minutes.


You can get the old behavior back by changing the line above back to the 
2.2.17 version:

ctx = SSL_CTX_new(SSLv23_method());

I think a better solution would be to use the SSLv23_method and disable 
SSLv3 with an option immediately after:


SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);

I have not tested this yet but as far as I can see it will leave you 
with support for TLS v1.0, v1.1 and v1.2.
An even better solution would be to make the SSL settings 
user-configurable. This is not trivial to do though.


Regards,
Eric.


On 11/26/13 07:40, Christof Meerwald wrote:

On Mon, 18 Nov 2013 17:18:07 +0100, Tomasz Sterna wrote:

Next jabberd2 release is finally available.

Get 2.3.0 release at GitHub: https://github.com/jabberd2/jabberd2/releases

I tried upgrading from 2.2.17 to 2.3.0 yesterday, but that left me
with a broken server. The s2s component now just connects to a remote
server, switches the stream to TLS, gets the certificate, disconnects
and immediately connects again. The log file doesn't give any reason
for this connection/disconnection loop and it's not clear what
configuration settings need to be updated to make it work again (as
the NEWS file isn't that helpful). But as there is no delay between
the connects/disconnects (and no useful error message), this behaviour
might be considered a bug anyway...

Guess I'll have to do some debugging and code reviewing in the next
few days...


Christof







Re: jabberd-2.3.0 release

2013-11-26 Thread Carlos Lopez
If you are interested you can try the changes I made in 
http://suchat.org/sx/ssl.c

For protocols TLS v1.0, v1.1 and v1.2.

Carlos
El 26/11/13 10:11, Eric Koldeweij escribió:

Christof,

I had the same problem, luckily I ran on a test server. I could not 
even login with my client.


There has been a change in sx/ssl.c line 899. The line now reads
ctx = SSL_CTX_new(TLSv1_2_method());

This means that it will support TLS v1.2 only. Connections using SSLv3 
or TLS v1.1 and earlier are not accepted any more. There is also 
another issue that if a secure connection cannot be established for 
any reason (incompatible protocol or verification failed or similar) 
it will retry many times in very rapid succession for 10 minutes.


You can get the old behavior back by changing the line above back to 
the 2.2.17 version:

ctx = SSL_CTX_new(SSLv23_method());

I think a better solution would be to use the SSLv23_method and 
disable SSLv3 with an option immediately after:


SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);

I have not tested this yet but as far as I can see it will leave you 
with support for TLS v1.0, v1.1 and v1.2.
An even better solution would be to make the SSL settings 
user-configurable. This is not trivial to do though.


Regards,
Eric.


On 11/26/13 07:40, Christof Meerwald wrote:

On Mon, 18 Nov 2013 17:18:07 +0100, Tomasz Sterna wrote:

Next jabberd2 release is finally available.

Get 2.3.0 release at GitHub: 
https://github.com/jabberd2/jabberd2/releases

I tried upgrading from 2.2.17 to 2.3.0 yesterday, but that left me
with a broken server. The s2s component now just connects to a remote
server, switches the stream to TLS, gets the certificate, disconnects
and immediately connects again. The log file doesn't give any reason
for this connection/disconnection loop and it's not clear what
configuration settings need to be updated to make it work again (as
the NEWS file isn't that helpful). But as there is no delay between
the connects/disconnects (and no useful error message), this behaviour
might be considered a bug anyway...

Guess I'll have to do some debugging and code reviewing in the next
few days...


Christof












Re: jabberd-2.3.0 release

2013-11-26 Thread Tomasz Sterna
Dnia 2013-11-26, wto o godzinie 07:40 +0100, Christof Meerwald pisze:
 I tried upgrading from 2.2.17 to 2.3.0 yesterday, but that left me
 with a broken server. The s2s component now just connects to a remote
 server, switches the stream to TLS, gets the certificate, disconnects
 and immediately connects again.

I guess the network is not that ready for 'TLS Everywhere' [1] yet.

Maybe it is worth releasing 2.2.18 without that change.


[1] https://github.com/jabberd2/jabberd2/commit/ad9ead7816

-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: jabberd-2.3.0 release

2013-11-25 Thread ungift-ed
On Tue, 26 Nov 2013 07:40:14 +0100
 Christof Meerwald wrote:

 On Mon, 18 Nov 2013 17:18:07 +0100, Tomasz Sterna wrote:
  Next jabberd2 release is finally available.
 
  Get 2.3.0 release at GitHub: https://github.com/jabberd2/jabberd2/releases
 
 I tried upgrading from 2.2.17 to 2.3.0 yesterday, but that left me
 with a broken server. The s2s component now just connects to a remote
 server, switches the stream to TLS, gets the certificate, disconnects
 and immediately connects again.

Same here with 2.2.17 and TLS Everywhere 
(https://github.com/jabberd2/jabberd2/commit/ad9ead7816e23f48d9b46905bcbe17b7b4b6a910)

jabber.ru / yandex.ru doesn't work with TLSv1_2
jabber.ru doesn't work with TLSv1_1
TLSv1 work with both jabber.ru and yandex.ru
Have to use TLSv1 here







jabberd-2.3.0 release

2013-11-18 Thread Tomasz Sterna

Next jabberd2 release is finally available.

Get 2.3.0 release at GitHub: https://github.com/jabberd2/jabberd2/releases


This release packs many new features and load of bugfixes.
Also introducing Semantic Versioning scheme
and TLS Everywhere recommendation.

Many, many thanks to all contributors. :-)


Changes:
  * Renamed non-standard UPGRADE file overwriting outdated NEWS file
  * Semantic Versioning: http://semver.org/ 
  * TLS Everywhere: https://github.com/stpeter/manifesto 
  * Required GSASL =1.1
  * jabberd should compile without warnings
  * out-of-source builds should work
  * pgsql: authreg password_type support
  * pgsql: schema support
  * ldapvcard: groupattr works even if no groupattr_regex defined
  * ldapfull: checks for ldap group membership on login
  * vCard: Assume tel phone is voice phone
  * MySQL: default password hashing algorithm changed to SHA512
  * out-conn-reuse s2s.xml option naming unified
  * XML parse error will log buffer details
  * CRAM-MD5 auth support
  * router private key cachain and password support
  * hashed passwords support in SQLite3 storage

For a full change log see: 
https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.0





-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/